Two years ago I wrote that cyber risk is uninsurable. I got a lot of pushback at the time, mainly from self-interested people who wrote or brokered cyber!

One thing you have to understand when I make calls like that is I am playing the long game. It may not be obvious that I’m right tomorrow, but it will eventually.

Why do I bring this back up? Because events have proven me right. What’s more, the market doesn’t even realize it yet.

What in the world am I talking about? AI.

What does AI have to do with cyber? Everything.

Ian’s Cyber Law

Think of every online innovation of the last 25 years. What happens? The bad guys exploit it and do it better than the good guys.

In the prior piece, I called this Ian’s Cyber Law:

The bad guys will come up with new tricks twice as fast as the insurers figure out the old ones.

Email begat spam. Websites led to viruses. Social networks fueled scams and bots. The bad guys always come out on top. Why will AI be any different?

Intelligent Ransomware

Think how many people fell for Ransomware 1.0. Now imagine how many are going to get fooled by Ransomware AI.

If AI is going to change the world, how will it not change the hacker world?

AI attacks won’t read like Nigerian Prince scams. They will impersonate people you know and converse just like them. How are people not going to be fooled by this?

Could the rate of successful attempts increase 5x? 10x?

How will the corporate IT department be able to screen for it? How will any of the current “cyber hygiene” practices work?

AI is a bigger threat to cybersecurity than all of the previous threats combined.


There’s another overlooked angle here. Not only will AI make a given attack more likely to be successful, it also lowers the cost to attempt an attack.

Rather than deploy all those expensive humans to create ransomware scripts, you let the AI do it instead.

So if the bad guys’ cost/attack is declining and their success rate/attack is rising, what does this mean?

Their unit economics are going through the roof!!!

When returns go up, what does it attract? More new entrants!

So if before I guessed the success rate is up 5-10X on a constant # of attacks, what if the attack rate also goes up 5-10X because it is cheaper to deploy and there are more bad guys participating?

Now, losses are up 25-100X!

Can I prove this is right? No. Can you prove I am wrong? Hell no!

Contrast this with terror, where Al Qaeda’s success didn’t make it easier for other terrorists. It made it harder because the government finally took the problem seriously and created deterrents and hunted the bad guys.

There is no evidence this is about to happen with cyber.

Technical Price

So what rate on line do we need for cyber? We have no idea.

History is meaningless. That’s fighting the last war. If AI really is as good at luring innocents as I suspect, it might take a 100 ROL! Actually, more given you have to cover the expense load too.

Insurers are fighting California over being forced to use historical cat loads for home insurance rather than modeled losses – and rightly so. So why do cyber insurers think it’s OK to use a few years of history and believe that suggests anything about the future?

As for replacing history with models? Not an option. The truth is loss trend is unknowable. Anyone who tells you differently has their head in the sand or is trying to sell you a cyber cover.

Maybe someday that will change, but we’re not there yet.

What’s The Solution?

There’s actually a very simple solution. Don’t sell cyber insurance.

Maybe there’s a way to sell it like large account workers comp where the corporate retains most of the risk and the insurer mostly manages the captive and retains a little risk up top with a contingent commission if they help prevent attacks. That might work.

But the product needs to move in that direction. Cyber is not a growth product.

It is the same fallacy as the insurtechs thinking the path to success was growing the top line. It’s the tale as old as (insurance) time about insurers being seduced by the aroma of the premium rather than the stench of the loss.

Frankly, cyber is the most dangerous risk to insurer balance sheets outside of NBC (nuclear, bio, chemical). I didn’t even get into the risk of coordinated attacks by foreign governments (that are impossible to prove so would have to be paid) that could create a massive frequency of severity.

There is no reason to be writing a line of business with large downside risk, which can’t be modeled, and is subject to technical innovation that insurers can’t anticipate.

Shut it down! Before it’s too late.